This repository has been archived by the owner on May 30, 2024. It is now read-only.
Severe Security Vulnerability In Async Dependency Version 3.x #266
Comments
Hello @anthony-langford, thank you for the report, we will work on this. Filed internally as 187508.
LaunchDarklyReleaseBot added a commit that referenced this issue on Feb 8, 2023:
* update diagnostic event info for OS name, data store type, Node version
* standardize linting
* disallow window and document
* fix null/undef checks
* misc linting fixes
* inlineUsersInEvents is not an unknown option
* drop node-sha1 dependency
* don't omit streamInits.failed when it's false
* bump request dependency to get security patch; loosen some exact dependencies
* remove request package; improve polling cache logic + add test
* bump typescript version to fix build error in Node 6
* update @types/node to fix TypeScript check step
* lint
* make sure we keep polling regardless of whether we got new data
* use launchdarkly-eventsource, make stream retry behavior consistent
* stream retry delay option should be in seconds & should be included in diagnostics
* minor test fix
* fix: Throw an error on malformed user-supplied logger
* don't call unref() on Redis client; ensure that database integration tests close the store
* update Redis driver to major version 3
* add test case
* allow redisOpts parameter to be omitted
* add logger adapter shim + tests
* minor cleanup and comments for ch74741 fix (logger wrapper)
* fix proxy tunnel configuration and make sure it's used in streaming
* change some string concatenation expressions to use interpolation
* feat: upgrade winston (#189)
* fix merge
* remove support for indirect/patch and indirect/put (#182)
* reuse same Promise and same event listeners for all waitForInitialization calls
* better docs for waitForInitialization + misc doc cleanup (#184)
* update js-eventsource to 1.3.1 for stream parsing bugfix (#185)
* fix broken logger format (#186)
* retroactively update changelog for bugfix in 5.13.2 release
* allow get/getAll Redis queries to be queued if Redis client hasn't yet connected
* set stream read timeout
* adding the alias functionality (#190)
* Removed the guides link
* remove monkey-patching of setImmediate
* Persist contextKind property during feature and custom event transformations (#194)
* add inlineUsersInEvents option in TypeScript
* Add support for seed to bucketUser
* Add note for incorporating seed into evaluation
* Send events when the evaluation is from an experiment
* Use seed to evaluate.
* Clean up test descriptions
* Rename variable to be less confusing
* Use ternary to eliminate mutation
* Make return signature more consistent
* Un-prettier the tests
* redis lower bounds bump (#199)
* update launchdarkly-js-test-helpers to fix TLS tests (#200)
* update js-eventsource to remove vulnerability warning (#201)
* add CI jobs for all compatible Node versions
* CI fixes
* more CI fixes
* comment
* use default value to simplify config
* (6.0 - #1) stop saying we're compatible with Node <12 (#203)
* add CI jobs for all compatible Node versions (#202)
* (6.0 - #2) remove Redis integration (#204)
* allow feature store to be specified as a factory (so it can get our logger)
* (6.0 - #3) remove Winston (#205)
* remove deprecated things for 6.0 (#206)
* update node-cache to 5.x (drops old Node compat)
* update semver to 7.x (drops old Node compat)
* update uuid to 8.x (Node compat, perf improvements, bugfixes)
* update dev dependencies
* linter
* replace lrucache package with lru-cache (#209)
* make yaml dependency optional (#210)
* update release metadata to include maintenance branch
* remove package-lock.json (#211)
* rm prerelease changelog
* (big segments #1) add interfaces for big segments (#212)
* (big segments #2) add all components for big segments except evaluation (#213)
* (big segments #3) implement big segments in flag evaluation (#214)
* (big segments #4) add standard test suite for big segment store tests + refactor feature store tests (#215)
* move new interfaces to a module instead of a namespace (#216)
* fix TS export of CachingStoreWrapper
* use Releaser v2 config
* fix overly specific test expectation that breaks in Node 17
* Initial work on FlagBuilder (#219)
* Add TestData factory (with some dummy methods); Initial work on FlagBuilder
* fixed indentation and linter errors; fixed an error in update; fixed incorrect test label
* fixed typo in TestData store
* converted boolean variation constants to be file variables instead of class variables
Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>
* implemented FlagRuleBuilder; added .build() methods to FlagBuilder/FlagRuleBuilder and changed tests to avoid using private interface
* converted _targets to be Map instead of object literal; changed variationForBoolean to be a module-scoped function instead of class-scoped
* Implement stream processor (data source) interface for test data
* Add TestData to index.js and write out the types for TestData and friends
* added testdata documentation to index.d.ts; fix linter errors; changed flag default behavior to create boolean flag
* Fix the interface file: reindented to 2 spaces, corrected definition of functions from properties to functions in interfaces; corrected issues in JSDoc comments
* modify tests to fix capitalization and actually test the test datasource works as an LDClient updateProcessor.
* Fix linter error on defaulted callback
* explicitly enable JSDOM types in TypeScript build to avoid errors when jsdom is referenced for some reason
* capitalize Big Segments in docs & logs
* documentation comment fixes for TestData
* pin TypeScript to 4.4.x
* move TestData and FileDataSource to integrations module
* lint
* rename types used by TestData for clarity (#229)
* use varargs semantics for TestFlagBuilder.variations() and add it to the TS interface (#230)
* don't ever use for...in (#232)
* don't ever use for...in
* add null guard
* bump launchdarkly-eventsource dependency for sc-136154 fix
* use TestData in our own tests (#231)
* use TestData in our own tests
* update TS interface
* lint
* typo
* fix allFlagsState behavior regarding experimentation
* lint
* allow "secondary" to be referenced in clauses
* don't throw an exception for non-string in semver comparison
* correctly handle "client not ready" condition in allFlagsState
* lint
* Flags with a version of 0 reported as 'unknown' in summary events. (#239)
* Initial draft of typescript types. (#236)
* Implement attribute reference support.
* implement contract test service, not including big segments (#242)
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
* Implement Application tags for the node SDK. (#241)
* update js-eventsource to 1.4.4 for security fix
* remove package-lock.json
* adjust test expectation about error message to work in recent Node versions
* #3 Add context filtering and legacy to single kind conversion. (#238)
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
* #4 Switch from user to context for events. (#244)
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
* #5 Rlamb/sc 142950/implement u2c evaluation (#248)
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
* #6 Rlamb/sc 145767/attribute reference improvements (#250)
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
* #7 Rlamb/sc 146614/do not support bucketby for experiments (#251)
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
* #8 Rlamb/sc 147263/treat cyclic segments as errors (#252)
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
* Do not use the secondary key for experiments. (#256)
* Resolve issues with V2 test harness. (#258)
* Adds link to Relay Proxy docs
* Update index.d.ts
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
* ensure setTimeout task is cleared when polling is stopped
* fix some flaky tests using async blocking logic
* rm unused
* simplify polling implementation using setInterval
* Update the test data source for U2C. (#257)
* use newer js-test-helpers for async tests
* add request number to timeout message
* Enforce 64 character limit for application tag values. (#263)
* Changed transient back to anonymous. (#264)
* Fixed operator field key name in TestDataRuleBuilder (#246)
* Do not set `inExperiment` if there is not a context for the specified kind. (#266)
* [sc-160948] Switch to partial URL encoding. (#265)
* Update event schema version. (#267)
* [sc-171125] Do not allow indexing into an array with an attribute reference. (#268)
* [sc-174033] Remove support for secondary. (#269)
* Treat 'kind' and '/kind' the same. (#270)
* [sc-176598] Update node U2C with latest changes from main. (#272)
* [sc-176599] Update documentation for privateAttributes _meta attribute of contexts. (#271)
* Remove copy/paste error. (#274)
* [sc-177983] Add support for executing old style user tests. (#275)
* Update release metadata.
* Do not generate events for bad contexts. (#277)
Co-authored-by: Yusinto Ngadiman <yusinto@gmail.com>
* Handle nested segment dependencies. (#278)
* fix: bump async dependencies
---------
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
Co-authored-by: LaunchDarklyCI <dev@launchdarkly.com>
Co-authored-by: Maxwell Gerber <maxwell.gerber@mulesoft.com>
Co-authored-by: Chris West <solo-github@goeswhere.com>
Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com>
Co-authored-by: Mike Zorn <mike@launchdarkly.com>
Co-authored-by: Ben Woskow <bwoskow@launchdarkly.com>
Co-authored-by: Robert J. Neal <rneal@launchdarkly.com>
Co-authored-by: Ben Levy <benjaminlevy007@gmail.com>
Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>
Co-authored-by: charukiewicz <charukiewicz@protonmail.com>
Co-authored-by: LaunchDarklyReleaseBot <launchdarklyreleasebot@launchdarkly.com>
Co-authored-by: Ryan Lamb <4955475+kinyoklion@users.noreply.github.com>
Co-authored-by: Ember Stevens <ember.stevens@launchdarkly.com>
Co-authored-by: Ember Stevens <79482775+ember-stevens@users.noreply.github.com>
Co-authored-by: Yusinto Ngadiman <yusinto@gmail.com>
Co-authored-by: Louis Chan <lchan@launchdarkly.com>
Co-authored-by: Louis Chan <91093020+louis-launchdarkly@users.noreply.github.com>
Hello @anthony-langford, we have just released Node Server SDK 7.0.1, which should address this issue. Please feel free to open an issue with us if you find something else.
Thanks for the quick resolution @louis-launchdarkly 🙏
bk-cribl pushed a commit to criblio/node-server-sdk that referenced this issue on May 18, 2023:
* add mention of singleton usage
* update diagnostic event info for OS name, data store type, Node version
* standardize linting
* disallow window and document
* fix null/undef checks
* misc linting fixes
* inlineUsersInEvents is not an unknown option
* drop node-sha1 dependency
* don't omit streamInits.failed when it's false
* bump request dependency to get security patch; loosen some exact dependencies
* remove request package; improve polling cache logic + add test
* bump typescript version to fix build error in Node 6
* update @types/node to fix TypeScript check step
* lint
* make sure we keep polling regardless of whether we got new data
* use launchdarkly-eventsource, make stream retry behavior consistent
* stream retry delay option should be in seconds & should be included in diagnostics
* minor test fix
* fix: Throw an error on malformed user-supplied logger
* don't call unref() on Redis client; ensure that database integration tests close the store
* update Redis driver to major version 3
* add test case
* allow redisOpts parameter to be omitted
* add logger adapter shim + tests
* minor cleanup and comments for ch74741 fix (logger wrapper)
* fix proxy tunnel configuration and make sure it's used in streaming
* change some string concatenation expressions to use interpolation
* feat: upgrade winston (launchdarkly#189)
* fix merge
* remove support for indirect/patch and indirect/put (launchdarkly#182)
* reuse same Promise and same event listeners for all waitForInitialization calls
* better docs for waitForInitialization + misc doc cleanup (launchdarkly#184)
* update js-eventsource to 1.3.1 for stream parsing bugfix (launchdarkly#185)
* fix broken logger format (launchdarkly#186)
* retroactively update changelog for bugfix in 5.13.2 release
* allow get/getAll Redis queries to be queued if Redis client hasn't yet connected
* set stream read timeout
* adding the alias functionality (launchdarkly#190)
* Removed the guides link
* remove monkey-patching of setImmediate
* Persist contextKind property during feature and custom event transformations (launchdarkly#194)
* add inlineUsersInEvents option in TypeScript
* Add support for seed to bucketUser
* Add note for incorporating seed into evaluation
* Send events when the evaluation is from an experiment
* Use seed to evaluate.
* Clean up test descriptions
* Rename variable to be less confusing
* Use ternary to eliminate mutation
* Make return signature more consistent
* Un-prettier the tests
* redis lower bounds bump (launchdarkly#199)
* update launchdarkly-js-test-helpers to fix TLS tests (launchdarkly#200)
* update js-eventsource to remove vulnerability warning (launchdarkly#201)
* add CI jobs for all compatible Node versions
* CI fixes
* more CI fixes
* comment
* use default value to simplify config
* (6.0 - #1) stop saying we're compatible with Node <12 (launchdarkly#203)
* add CI jobs for all compatible Node versions (launchdarkly#202)
* (6.0 - #2) remove Redis integration (launchdarkly#204)
* allow feature store to be specified as a factory (so it can get our logger)
* (6.0 - launchdarkly#3) remove Winston (launchdarkly#205)
* remove deprecated things for 6.0 (launchdarkly#206)
* update node-cache to 5.x (drops old Node compat)
* update semver to 7.x (drops old Node compat)
* update uuid to 8.x (Node compat, perf improvements, bugfixes)
* update dev dependencies
* linter
* replace lrucache package with lru-cache (launchdarkly#209)
* make yaml dependency optional (launchdarkly#210)
* update release metadata to include maintenance branch
* remove package-lock.json (launchdarkly#211)
* rm prerelease changelog
* (big segments #1) add interfaces for big segments (launchdarkly#212)
* (big segments #2) add all components for big segments except evaluation (launchdarkly#213)
* (big segments launchdarkly#3) implement big segments in flag evaluation (launchdarkly#214)
* (big segments launchdarkly#4) add standard test suite for big segment store tests + refactor feature store tests (launchdarkly#215)
* move new interfaces to a module instead of a namespace (launchdarkly#216)
* fix TS export of CachingStoreWrapper
* use Releaser v2 config
* fix overly specific test expectation that breaks in Node 17
* Initial work on FlagBuilder (launchdarkly#219)
* Add TestData factory (with some dummy methods); Initial work on FlagBuilder
* fixed indentation and linter errors; fixed an error in update; fixed incorrect test label
* fixed typo in TestData store
* converted boolean variation constants to be file variables instead of class variables
Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>
* implemented FlagRuleBuilder; added .build() methods to FlagBuilder/FlagRuleBuilder and changed tests to avoid using private interface
* converted _targets to be Map instead of object literal; changed variationForBoolean to be a module-scoped function instead of class-scoped
* Implement stream processor (data source) interface for test data
* Add TestData to index.js and write out the types for TestData and friends
* added testdata documentation to index.d.ts; fix linter errors; changed flag default behavior to create boolean flag
* Fix the interface file: reindented to 2 spaces, corrected definition of functions from properties to functions in interfaces; corrected issues in JSDoc comments
* modify tests to fix capitalization and actually test the test datasource works as an LDClient updateProcessor.
* Fix linter error on defaulted callback
* explicitly enable JSDOM types in TypeScript build to avoid errors when jsdom is referenced for some reason
* capitalize Big Segments in docs & logs
* documentation comment fixes for TestData
* pin TypeScript to 4.4.x
* move TestData and FileDataSource to integrations module
* lint
* rename types used by TestData for clarity (launchdarkly#229)
* use varargs semantics for TestFlagBuilder.variations() and add it to the TS interface (launchdarkly#230)
* don't ever use for...in (launchdarkly#232)
* don't ever use for...in
* add null guard
* bump launchdarkly-eventsource dependency for sc-136154 fix
* use TestData in our own tests (launchdarkly#231)
* use TestData in our own tests
* update TS interface
* lint
* typo
* fix allFlagsState behavior regarding experimentation
* lint
* allow "secondary" to be referenced in clauses
* don't throw an exception for non-string in semver comparison
* correctly handle "client not ready" condition in allFlagsState
* lint
* Flags with a version of 0 reported as 'unknown' in summary events. (launchdarkly#239)
* Initial draft of typescript types. (launchdarkly#236)
* Implement attribute reference support.
* implement contract test service, not including big segments (launchdarkly#242)
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
* Implement Application tags for the node SDK. (launchdarkly#241)
* update js-eventsource to 1.4.4 for security fix
* remove package-lock.json
* adjust test expectation about error message to work in recent Node versions
* launchdarkly#3 Add context filtering and legacy to single kind conversion. (launchdarkly#238)
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
* launchdarkly#4 Switch from user to context for events. (launchdarkly#244)
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
* launchdarkly#5 Rlamb/sc 142950/implement u2c evaluation (launchdarkly#248)
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
* launchdarkly#6 Rlamb/sc 145767/attribute reference improvements (launchdarkly#250)
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
* launchdarkly#7 Rlamb/sc 146614/do not support bucketby for experiments (launchdarkly#251)
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
* launchdarkly#8 Rlamb/sc 147263/treat cyclic segments as errors (launchdarkly#252)
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
* Do not use the secondary key for experiments. (launchdarkly#256)
* Resolve issues with V2 test harness. (launchdarkly#258)
* Adds link to Relay Proxy docs
* Update index.d.ts
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
* ensure setTimeout task is cleared when polling is stopped
* fix some flaky tests using async blocking logic
* rm unused
* simplify polling implementation using setInterval
* Update the test data source for U2C. (launchdarkly#257)
* use newer js-test-helpers for async tests
* add request number to timeout message
* Enforce 64 character limit for application tag values. (launchdarkly#263)
* Changed transient back to anonymous. (launchdarkly#264)
* Fixed operator field key name in TestDataRuleBuilder (launchdarkly#246)
* Do not set `inExperiment` if there is not a context for the specified kind. (launchdarkly#266)
* [sc-160948] Switch to partial URL encoding. (launchdarkly#265)
* Update event schema version. (launchdarkly#267)
* [sc-171125] Do not allow indexing into an array with an attribute reference. (launchdarkly#268)
* [sc-174033] Remove support for secondary. (launchdarkly#269)
* Treat 'kind' and '/kind' the same. (launchdarkly#270)
* [sc-176598] Update node U2C with latest changes from main. (launchdarkly#272)
* [sc-176599] Update documentation for privateAttributes _meta attribute of contexts. (launchdarkly#271)
* Remove copy/paste error. (launchdarkly#274)
* [sc-177983] Add support for executing old style user tests. (launchdarkly#275)
* Update release metadata.
* Do not generate events for bad contexts. (launchdarkly#277)
Co-authored-by: Yusinto Ngadiman <yusinto@gmail.com>
* Handle nested segment dependencies. (launchdarkly#278)
Co-authored-by: LaunchDarklyCI <dev@launchdarkly.com>
Co-authored-by: Eli Bishop <eli@launchdarkly.com>
Co-authored-by: Maxwell Gerber <maxwell.gerber@mulesoft.com>
Co-authored-by: Chris West <solo-github@goeswhere.com>
Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com>
Co-authored-by: Mike Zorn <mike@launchdarkly.com>
Co-authored-by: Ben Woskow <bwoskow@launchdarkly.com>
Co-authored-by: Robert J. Neal <rneal@launchdarkly.com>
Co-authored-by: Ben Levy <benjaminlevy007@gmail.com>
Co-authored-by: charukiewicz <christian@foxhound.systems>
Co-authored-by: belevy <ben@foxhound.systems>
Co-authored-by: charukiewicz <charukiewicz@protonmail.com>
Co-authored-by: LaunchDarklyReleaseBot <launchdarklyreleasebot@launchdarkly.com>
Co-authored-by: Ryan Lamb <4955475+kinyoklion@users.noreply.github.com>
Co-authored-by: Ember Stevens <ember.stevens@launchdarkly.com>
Co-authored-by: Ember Stevens <79482775+ember-stevens@users.noreply.github.com>
Co-authored-by: Yusinto Ngadiman <yusinto@gmail.com>
Is this a support request?
No.
Describe the bug
There is a security vulnerability in the `async` dependency. Version 7.0.0 of `node-server-sdk` currently has a dependency on `async` version 3.0.0, which is considered a high security risk according to NIST. Updating the `async` dependency to version 3.2.2 resolves the security issue.
To reproduce
N/A
Expected behavior
N/A
Logs
N/A
SDK version
N/A
Language version, developer tools
N/A
OS/platform
N/A
Additional context
https://nvd.nist.gov/vuln/detail/CVE-2021-43138
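The check a practitioner would want after reading this report, as an added example that is not code from the issue, the SDK or LaunchDarkly: walk a `package-lock.json` (v1 or v2/v3 shape) for every installed copy of `async`, including copies nested under another package where a top-level upgrade does not reach them, and flag any copy below 3.2.2, the fixed version named above. The sample lockfile, the app name and the nested `node_modules/launchdarkly-node-server-sdk/node_modules/async` layout are constructed for illustration.

```javascript
// Fixed version of `async` named in the issue (CVE-2021-43138).
const FIXED_ASYNC_VERSION = '3.2.2';

// Minimal major.minor.patch comparison (range operators and pre-release
// tags stripped) so the check runs offline without the `semver` package.
// Returns -1, 0 or 1.
function compareSemver(a, b) {
  const parse = (v) => v.replace(/^[\^~>=<\s]+/, '').split('-')[0].split('.').map(Number);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lockfile v2/v3: "packages" is a flat map keyed by install path, so nested
// copies show up as ".../node_modules/<name>" keys.
function scanPackagesMap(packages, name) {
  const hits = [];
  for (const [path, info] of Object.entries(packages)) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: info.version });
    }
  }
  return hits;
}

// Lockfile v1: "dependencies" is a tree; recurse to reach nested copies.
function scanDependenciesTree(deps, name, prefix, hits) {
  for (const [depName, info] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${depName}`;
    if (depName === name) hits.push({ path, version: info.version });
    scanDependenciesTree(info.dependencies, name, `${path}/`, hits);
  }
  return hits;
}

// Returns every installed copy of `name` with a `vulnerable` flag set when
// its version is older than `fixed`.
function findVulnerableCopies(lock, name = 'async', fixed = FIXED_ASYNC_VERSION) {
  const found = lock.packages
    ? scanPackagesMap(lock.packages, name)
    : scanDependenciesTree(lock.dependencies, name, '', []);
  return found.map((f) => ({ ...f, vulnerable: compareSemver(f.version, fixed) < 0 }));
}

// Constructed sample lockfile (v2 shape), not a real project's lock: the root
// carries a patched async, but the SDK has its own nested 3.0.0 copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/async': { version: '3.2.4' },
    'node_modules/launchdarkly-node-server-sdk': { version: '7.0.0' },
    'node_modules/launchdarkly-node-server-sdk/node_modules/async': { version: '3.0.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of findVulnerableCopies(SAMPLE_LOCK)) {
    console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok'}\t${hit.path}\t${hit.version}`);
  }
}
```

On a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a nested vulnerable copy means the fix has to come from the dependent package's own bump (here SDK 7.0.1), not from the root `package.json`.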